Nmap Network Exploration and Security Auditing Cookbook, 3rd Edition
- Length: 436 pages
- Edition: 3
- Language: English
- Publisher: Packt Publishing
- Publication Date: 2021-09-13
- ISBN-10: 1838649352
- ISBN-13: 9781838649357
A complete reference guide to mastering Nmap and its scripting engine, covering practical tasks for IT personnel, security engineers, system administrators, and application security enthusiasts
Key Features
- Learn how to use Nmap and other tools from the Nmap family with the help of practical recipes
- Discover the latest and most powerful features of Nmap and the Nmap Scripting Engine
- Explore common security checks for applications, Microsoft Windows environments, SCADA, and mainframes
Book Description
Nmap is one of the most powerful tools for network discovery and security auditing used by millions of IT professionals, from system administrators to cybersecurity specialists. This third edition of the Nmap: Network Exploration and Security Auditing Cookbook introduces Nmap and its family – Ncat, Ncrack, Ndiff, Zenmap, and the Nmap Scripting Engine (NSE) – and guides you through numerous tasks that are relevant to security engineers in today’s technology ecosystems.
The book discusses some of the most common and useful tasks for scanning hosts, networks, applications, mainframes, Unix and Windows environments, and ICS/SCADA systems. Advanced Nmap users can benefit from this book by exploring the hidden functionalities within Nmap and its scripts as well as advanced workflows and configurations to fine-tune their scans. Seasoned users will find new applications and third-party tools that can help them manage scans and even start developing their own NSE scripts. Practical examples featured in a cookbook format make this book perfect for quickly remembering Nmap options, scripts and arguments, and more.
By the end of this Nmap book, you will be able to successfully scan numerous hosts, exploit vulnerable areas, and gather valuable information.
What you will learn
- Scan systems and check for the most common vulnerabilities
- Explore the most popular network protocols
- Extend existing scripts and write your own scripts and libraries
- Identify and scan critical ICS/SCADA systems
- Detect misconfigurations in web servers, databases, and mail servers
- Understand how to identify common weaknesses in Windows environments
- Optimize the performance and improve results of scans
Who this book is for
This Nmap cookbook is for IT personnel, security engineers, system administrators, application security enthusiasts, or anyone who wants to master Nmap and its scripting engine. This book is also recommended for anyone looking to learn about network security auditing, especially if they’re interested in understanding common protocols and applications in modern systems. Advanced and seasoned Nmap users will also benefit by learning about new features, workflows, and tools. Basic knowledge of networking, Linux, and security concepts is required before taking up this book.
Table of Contents
- Nmap Fundamentals
- Getting familiar with Nmap’s family
- Network Exploration
- Reconnaissance Tasks
- Scanning web servers
- Scanning databases
- Scanning Mail Servers
- Scanning Windows systems
- Scanning ICS SCADA Systems
- Scanning mainframes
- Optimizing Scans
- Generating Scan Reports
- Writing Your Own NSE Scripts
- Exploiting Vulnerabilities With The Nmap Scripting Engine
- Appendix A – HTTP, HTTP Pipelining, and Web Crawling Configuration Options
- Appendix B – Brute Force Password Auditing Options
- Appendix C – NSE Debugging
- Appendix D – Additional Output Options
- Appendix E – Introduction to Lua
- Appendix F – References and Additional Reading
Detailed Table of Contents
Front matter: Cover, Title Page, Copyright and Credits, Contributors, Table of Contents, Preface. Each recipe below is organized into the sections Getting ready (where applicable), How to do it..., How it works..., and There's more....
Chapter 1: Nmap Fundamentals
- Technical requirements
- Building Nmap's source code
- Finding online hosts
- Listing open ports on a target
- Fingerprinting OSes and services running on a target
- Using NSE scripts against a target host
- Scanning random targets on the internet
- Collecting signatures of web servers
- Scanning with Rainmap Lite
Chapter 2: Getting Familiar with Nmap's Family
- Monitoring servers remotely with Nmap and Ndiff
- Crafting ICMP echo replies with Nping
- Managing multiple scanning profiles with Zenmap
- Running Lua scripts against a network connection with Ncat
- Discovering systems with weak passwords with Ncrack
- Using Ncat to diagnose a network client
- Defending against Nmap service detection scans
Chapter 3: Network Scanning
- Discovering hosts with TCP SYN ping scans
- Discovering hosts with TCP ACK ping scans
- Discovering hosts with UDP ping scans (including Selecting ports in UDP ping scans)
- Discovering hosts with ICMP ping scans
- Discovering hosts with SCTP INIT ping scans
- Discovering hosts with IP protocol ping scans
- Discovering hosts with ARP ping scans
- Performing advanced ping scans
- Discovering hosts with broadcast ping scans
- Scanning IPv6 addresses
- Spoofing the origin IP of a scan
- Using port scanning for host discovery
Chapter 4: Reconnaissance Tasks
- Performing IP address geolocation
- Getting information from WHOIS records
- Obtaining traceroute geolocation information
- Querying Shodan to obtain target information
- Collecting valid email accounts and IP addresses from web servers
- Discovering hostnames pointing to the same IP address
- Discovering hostnames by brute-forcing DNS records
- Matching services with public vulnerability advisories and picking the low-hanging fruit
Chapter 5: Scanning Web Servers
- Listing supported HTTP methods
- Discovering interesting files and folders on web servers
- Brute forcing HTTP authentication
- Brute forcing web applications
- Detecting web application firewalls
- Detecting possible XST vulnerabilities
- Detecting XSS vulnerabilities
- Finding SQL injection vulnerabilities
- Finding web applications with default credentials
- Detecting insecure cross-domain policies
- Detecting exposed source code control systems
- Auditing the strength of cipher suites in SSL servers
Chapter 6: Scanning Databases
- Listing MySQL databases
- Listing MySQL users
- Listing MySQL variables
- Brute forcing MySQL passwords
- Finding root accounts with an empty password in MySQL servers
- Detecting insecure configurations in MySQL servers
- Brute forcing Oracle passwords
- Brute forcing Oracle SID names
- Retrieving information from MS SQL servers
- Brute forcing MS SQL passwords
- Dumping password hashes of MS SQL servers
- Running commands through xp_cmdshell in MS SQL servers
- Finding system administrator accounts with empty passwords in MS SQL servers
- Obtaining information from MS SQL servers with NTLM enabled
- Retrieving MongoDB server information
- Detecting MongoDB instances with no authentication enabled
- Listing MongoDB databases
- Listing CouchDB databases
- Retrieving CouchDB database statistics
- Detecting Cassandra databases with no authentication enabled
- Brute forcing Redis passwords
Chapter 7: Scanning Mail Servers
- Detecting SMTP open relays
- Brute-forcing SMTP passwords
- Detecting suspicious SMTP servers
- Enumerating SMTP usernames
- Brute-forcing IMAP passwords
- Retrieving the capabilities of an IMAP server
- Brute-forcing POP3 passwords
- Retrieving the capabilities of a POP3 server
- Retrieving information from SMTP servers with NTLM authentication
Chapter 8: Scanning Windows Systems
- Obtaining system information from SMB
- Detecting Windows clients with SMB signing disabled
- Detecting IIS web servers that disclose Windows 8.3 names
- Detecting Windows hosts vulnerable to MS08-067 and MS17-010
- Retrieving the NetBIOS name and MAC address of a host
- Enumerating user accounts of Windows targets
- Enumerating shared folders
- Enumerating SMB sessions
- Finding domain controllers
- Detecting the Shadow Brokers' DOUBLEPULSAR SMB implants
- Listing supported SMB protocols
- Detecting vulnerabilities using the SMB2/3 boot-time field
- Detecting whether encryption is enforced in SMB servers
Chapter 9: Scanning ICS/SCADA Systems
- Finding common ports used in ICS/SCADA systems
- Finding HMI systems
- Enumerating Siemens SIMATIC S7 PLCs
- Enumerating Modbus devices
- Enumerating BACnet devices
- Enumerating Ethernet/IP devices
- Enumerating Niagara Fox devices
- Enumerating ProConOS devices
- Enumerating Omron PLC devices
- Enumerating PCWorx devices
Chapter 10: Scanning Mainframes
- Listing CICS transaction IDs in IBM mainframes
- Enumerating CICS user IDs for the CESL/CESN login screen
- Brute-forcing z/OS JES NJE node names
- Enumerating z/OS TSO user IDs
- Brute-forcing z/OS TSO accounts
- Listing VTAM application screens
Chapter 11: Optimizing Scans
- Skipping phases to speed up scans
- Selecting the correct timing template
- Adjusting timing parameters
- Adjusting performance parameters
- Adjusting scan groups
- Distributing a scan among several clients using dnmap
Chapter 12: Generating Scan Reports
- Saving scan results in a normal format
- Saving scan results in an XML format
- Saving scan results to a SQLite database
- Saving scan results in a grepable format
- Generating a network topology graph with Zenmap
- Generating HTML scan reports
- Reporting vulnerability checks
- Generating PDF reports with fop
- Saving NSE reports in Elasticsearch
- Visualizing Nmap scan results with IVRE
Chapter 13: Writing Your Own NSE Scripts
- Making HTTP requests to identify vulnerable Supermicro IPMI/BMC controllers
- Sending UDP payloads using NSE sockets
- Generating vulnerability reports in NSE scripts
- Exploiting an SMB vulnerability
- Writing brute-force password auditing scripts
- Crawling web servers to detect vulnerabilities
- Working with NSE threads, condition variables, and mutexes in NSE
- Writing a new NSE library in Lua
- Writing a new NSE library in C/C++
- Getting your scripts ready for submission
Chapter 14: Exploiting Vulnerabilities with the Nmap Scripting Engine
- Generating vulnerability reports in NSE scripts
- Writing brute-force password auditing scripts
- Crawling web servers to detect vulnerabilities
- Exploiting SMB vulnerabilities
Appendix A – HTTP, HTTP Pipelining, and Web Crawling Configuration Options
- HTTP user agent
- HTTP pipelining
- Configuring the NSE httpspider library
Appendix B – Brute-Force Password Auditing Options
- Brute modes
Appendix C – NSE Debugging
- Debugging NSE scripts
- Exception handling
Appendix D – Additional Output Options
- Saving output in all formats
- Appending Nmap output logs
- Including debugging information in output logs
- Including the reason for a port or host state
- OS detection in verbose mode
Appendix E – Introduction to Lua
- Flow control structures: Conditional statements – if, then, elseif; Loops – while; Loops – repeat; Loops – for
- Data types
- String handling: Character classes, Magic characters, Patterns, Captures, Repetition operators, Concatenation, Finding substrings, String repetition, String length, Formatting strings, Splitting and joining strings
- Common data structures: Tables, Arrays, Linked lists, Sets, Queues, Custom data structures
- I/O operations: Modes, Opening a file, Reading a file, Writing a file, Closing a file
- Coroutines: Creating a coroutine, Executing a coroutine, Determining the current coroutine, Getting the status of a coroutine, Yielding a coroutine
- Metatables: Arithmetic metamethods, Relational metamethods
- Things to remember when working with Lua: Comments, Dummy assignments, Indexes, Semantics, Coercion, Safe language, Booleans
Appendix F – References and Additional Reading
Other Books You May Enjoy
Index